Cohesive compliance

12.12.2005
Top technology officials who toil daily in heavily regulated environments offer these words of encouragement to companies new to the struggles of compliance: What doesn't kill or bankrupt you makes you stronger.

Perennial issues around the Sarbanes-Oxley Act financial disclosure laws, along with new privacy-related regulations and industry self-policing efforts, are sending shock waves across many sectors. Retailers and other organizations that were once solely focused on narrow mission statements have suddenly become subject to a slew of new reporting and auditing requirements.

Often, the first instinct is to react furiously to avoid penalties and potentially negative press. Giving in to this impulse, however, is a response that could cost corporations plenty, warn this year's IT leaders, some of whom represent industries such as banking and health care, where compliance is a way of life.

Instead of scurrying to slay regulatory requirements one at a time, devise broad compliance strategies that take on several reporting tasks and simultaneously fulfill the obligations that stem from several statutes or regulatory bodies. Along the way, use compliance to shore up operations overall, seasoned executives advise.

"Compliance pressures are now manyfold, and people are failing to realize that they need to look beyond the immediate challenge," notes Michael Rasmussen, an analyst at Forrester Research Inc. in Cambridge, Mass. "Another common mistake is to focus on compliance as a project, instead of an ongoing process."

The big picture

Within the financial services industry, the presence of government and industry regulators is almost palpable. "The issue of compliance in banking has been around forever, so Sarbanes-Oxley has not been a huge shock to our industry the way it has been to others," says Joseph McCartin, senior vice president and CIO at Cleveland-based National City Corp. National City is a financial holding company with a banking network that stretches across several states, including Illinois, Kentucky, Missouri and Michigan.

The long history of dealing with a multitude of regulations, however, has led National City and other financial services firms to build a plethora of systems. But ironically, new statutes are forcing integration. One example is the USA Patriot Act, which requires banks to obtain key information about customers in order to identify potential national security threats. "We have this mishmash of platforms. Now, with 'know your customer' kinds of mandates, we are undergoing a lot of data consolidation," McCartin says.

Based on his experiences, McCartin strongly suggests that others steer clear of one-off compliance solutions. "Try to avoid knee-jerk compliance," he says. "Invest in common data stores, and consciously drive your solutions. Don't just wait for the next set of regulations and build a new system every time to chase the nuances."

Better yet, think beyond even the series of regulations your enterprise may ultimately face, and figure out how compliance can actually strengthen your company, suggests Steven Naylor, vice president and director of IT at Federal Home Loan Bank of Topeka (FHLBank). "Although our goal is to be compliant, we also assure the work is making us a stronger company and that we are not just 'meeting the audit requirement,'" he says.

For enterprises that are new to stringent reporting requirements such as those contained in the Sarbanes-Oxley Act, just building the data management systems that are necessary to meet audits can impose discipline and reinforce operations.

"I think we've matured as an organization in terms of our document processes," notes David Oles, IT director of research and development at Rent-A-Center Inc. in Plano, Texas. "Don't get me wrong -- nobody likes these exercises, and it's been a tough year for us because of them. But I do think we are better off than we were before."

A large component of compliance involves the treatment of electronic records vs. paper documents, which is new territory even for heavily regulated industries. It's a challenge that hits both enterprises struggling for the first time to absorb new requirements and plan new systems, and corporations retrofitting the platforms already in place to integrate reporting data.

A clean slate

But such was not the case for Baptist Health of Northeast Florida in Jacksonville. In February, Baptist Health opened a brand-new hospital that was to contain no paper medical records. Because the facility was the first of its kind in the country, Senior Vice President and CIO Roland Garcia and his staff had to make sure hospital operations weren't too far out in front of regulatory requirements.

"There is a certain amount of risk because this is a green-field opportunity," says Garcia. "We had to make sure the electronic records we deployed met regulatory requirements that stipulate what makes up a medical record and what qualifies as retention."

Risk management and legal teams were heavily involved in ensuring that Baptist Health's purely electronic environment complied with major health care statutes such as the Health Insurance Portability and Accountability Act. "This was an effort that involved many task forces," Garcia says.

Along with task forces for ironing out initial compliance policies and practices, IT leaders strongly recommend designating officials and resources to make sure an enterprise stays within the parameters of applicable statutes.

"We have an executive vice president of risk management and an entire organization we partner with to make sure we comply with all of the regulations we face," says McCartin.

In the end, covering your bases and parlaying compliance into a boost for your company is the name of the game.

"We make sure the controls we put in place are designed in a way that makes them meaningful for our company," explains FHLBank's Naylor.

-- McAdams is a freelance writer in Vienna, Va. Contact her at jjwriterva@aol.com.